Category: Cisco IOS

Overview

A Certificate Authority (CA) is a trusted entity that issues digital certificates to devices which need to communicate securely, and it is a central component of a public key infrastructure (PKI). There are several CA implementations available, from third-party vendors such as Microsoft to the open source OpenSSL toolkit, but in this article we will focus on configuring the internal Certificate Authority server that is available on Cisco IOS. We will also cover the certificate enrollment process with a CA and how these digital certificates can be used for authentication. This feature was introduced in Cisco IOS version 12.3(4)T and is available only on Cisco IOS images with the security feature set.
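As an added example, not part of the original article, the configuration below turns one IOS router into a CA and enrolls a second router against it over SCEP. The CA address 10.0.0.1, the names MY-CA and ROUTER1-KEY, and the domain example.com are assumptions chosen for the illustration. Requests are granted manually rather than with grant auto, so an attacker who can reach the SCEP URL cannot obtain a certificate without an operator approving it.

```cisco
! ===== CA router (assumed address 10.0.0.1) =====
! SCEP enrollment runs over HTTP, so the HTTP server must be enabled.
ip http server
!
! Pre-generate the CA key pair from exec mode with the server name as the
! key label; otherwise "no shutdown" creates a 1024-bit key automatically:
!   crypto key generate rsa general-keys label MY-CA modulus 2048
!
crypto pki server MY-CA
 ! Store every issued certificate, not just the serial-number index,
 ! so certificates can be looked up and revoked later.
 database level complete
 database url flash:
 issuer-name CN=ca.example.com,O=Example
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 ! Deliberately no "grant auto": pending requests are reviewed and
 ! granted by hand (see the exec commands below).
 ! "no shutdown" prompts for a passphrase that protects the CA private key.
 no shutdown
!
! ===== Enrolling router =====
hostname router1
ip domain name example.com
!
crypto pki trustpoint MY-CA
 enrollment url http://10.0.0.1:80
 subject-name CN=router1.example.com,O=Example
 ! Key pair is generated with this label and size during enrollment
 ! if it does not already exist.
 rsakeypair ROUTER1-KEY 2048
 ! Lab setting only: in production keep the default (crl) so that
 ! revoked certificates are actually rejected.
 revocation-check none
!
! Exec-mode steps on the enrolling router:
!   crypto pki authenticate MY-CA   -> fetches the CA certificate; compare the
!                                      displayed fingerprint with the one shown
!                                      on the CA before accepting it
!   crypto pki enroll MY-CA         -> builds the request and sends it via SCEP
! Exec-mode steps on the CA router:
!   crypto pki server MY-CA info requests     -> list pending request IDs
!   crypto pki server MY-CA grant <request-id>
```

The fingerprint comparison during crypto pki authenticate is the step that anchors trust: without it, anything answering on the enrollment URL could hand the router a rogue CA certificate.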

Overview

Port Address Translation (PAT) is an extension of Network Address Translation (NAT) that allows multiple devices on a local area network (LAN) to reach Internet resources through a single public IP address. NAT was first described in RFC 1631, and its main purpose was to slow the depletion of public IPv4 address space. A typical use of PAT is when an ISP allocates a single public IP address to an organization with many devices that need Internet access. PAT uses the private address ranges defined in RFC 1918 for the inside devices and relies on port numbers to tell connections apart. When an inside host communicates with the outside it sends a datagram with its private source address and an ephemeral source port. The NAT router rewrites the source address and port to its public IP address and a port of its own choosing, records the mapping in its translation table and forwards the datagram to the destination. The reply arrives at that same public address and port combination (a socket), which the router looks up in its table to translate back to the original inside address and port. Hiding the inside addresses is a side effect, not a security control: PAT does not inspect or filter traffic and is no substitute for a firewall.
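As an added example that is not from the original article, this is the minimal IOS configuration for the scenario above: an inside LAN on 192.168.1.0/24 overloaded onto the address of the outside interface. The interface names, addresses and the access-list name NAT-INSIDE are assumptions for the illustration.

```cisco
! Inside (LAN) interface: RFC 1918 space
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Outside (ISP) interface: the single public address every inside host shares
interface GigabitEthernet0/1
 description Uplink to ISP
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Only the inside LAN is eligible for translation. Keep this list tight:
! a "permit any" here would translate anything the router happens to forward.
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
!
! "overload" is what turns NAT into PAT: many inside sockets are mapped onto
! one public address, distinguished by the translated source port.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! Verification from exec mode:
!   show ip nat translations      -> inside local:port <-> inside global:port
!   show ip nat statistics        -> hits, misses, active translations
```

In show ip nat translations each row pairs the private socket (inside local) with the public socket (inside global); a reply is accepted for translation only if it matches an existing row, which is why an unsolicited packet from the Internet to an unused public port is simply dropped by NAT rather than delivered to any inside host.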

Overview

Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that allocates network configuration parameters such as IP addresses, subnet masks, DNS servers, default gateways and many more to end devices. The protocol uses UDP port 67 (server) and UDP port 68 (client), as defined in RFC 2131. Nowadays almost all network devices support DHCP, including workstations, printers, IP phones, handheld devices and so on. Dynamic address assignment minimizes the errors that come with manual configuration and reduces administrative overhead. Cisco embedded DHCP server functionality in IOS beginning with version 12.0(1)T. By default, the Cisco IOS DHCP server and relay agent features are enabled but not configured, so a router does not hand out addresses until a pool is defined.
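As an added example, not taken from the original article, the configuration below defines a DHCP pool on an IOS router for the 192.168.1.0/24 LAN. The pool name, the addresses and the domain example.com are assumptions for the illustration.

```cisco
! Keep the router, servers and other statically addressed hosts out of the
! dynamic range so the server never hands out an address already in use.
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.10
 domain-name example.com
 ! lease <days> <hours>: 8 hours here, so stale bindings age out quickly
 lease 0 8
!
! On routers that must NOT act as DHCP servers or relays, turn the service
! off entirely rather than relying on "enabled but unconfigured":
!   no service dhcp
!
! Verification from exec mode:
!   show ip dhcp binding     -> leased address, client hardware address, expiry
!   show ip dhcp conflict    -> addresses the server saw in use before leasing
!   show ip dhcp server statistics
```

The excluded-address range is the part most often forgotten: without it the pool covers the whole network, including the router's own 192.168.1.1, and the server relies on a ping probe at lease time to detect the conflict.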

Overview

Device logs often offer valuable information when troubleshooting a network issue. Interface status changes, security alerts, environmental conditions, processes hogging the CPU, and many other events on a router or switch can be captured and analyzed later by studying the logs. By default, all log messages on a Cisco router or switch are sent to the console port, so only users physically connected to the console see them. If you are connected to a Cisco device via Telnet or SSH and want to see the console messages in your own session, enter the command terminal monitor in privileged EXEC mode. Cisco devices support five types of logging:
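As an added example that is not part of the original article, the configuration below sends IOS log messages to the local buffer, the console, VTY sessions and a remote syslog host, with timestamps and sequence numbers so that events can be correlated across devices. The syslog server address 192.168.1.50 and the use of Loopback0 as source interface are assumptions for the illustration.

```cisco
! Stamp every message with date/time (millisecond precision) and a
! sequence number; a gap in the sequence shows that messages were lost.
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
!
! Prefix messages with the hostname so a central collector can tell
! devices apart even if they sit behind NAT.
logging origin-id hostname
!
! Local destinations. Keep the console quiet (severity 2 and below only):
! a flood of informational messages on a slow console can stall the CPU.
logging buffered 65536 informational
logging console critical
logging monitor informational
!
! Remote destination: severity 6 (informational) and below to a syslog host,
! sourced from a stable loopback address.
logging trap informational
logging source-interface Loopback0
logging host 192.168.1.50
!
! Exec mode:
!   terminal monitor     -> show messages in this Telnet/SSH session
!   show logging         -> destinations, severities and the local buffer
```

Severity keywords in IOS map to the syslog numeric levels (emergencies 0 through debugging 7), and a destination receives every message at its configured level and below. The local buffer is lost on reload, which is why the remote syslog host matters for incident reconstruction.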

Overview

Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol used to collect information about directly connected routers and switches. It operates at Layer 2 (the data link layer) and comes in two versions: CDPv1 (the initial release), available since IOS version 10.3, and CDPv2, available from IOS version 12.0(3)T. CDP is very useful when you need to gather information about the network topology, such as neighbor IP addresses, device capabilities, platform and software version, and it offers a quick way to troubleshoot and document the network. CDP is enabled by default on all supported interfaces. CDP advertisements are sent in cleartext and are not authenticated, so anyone with access to the segment can read the device's platform, software version and addresses, which makes it a real security issue. As a best practice, CDP should be disabled on interfaces that connect to external or untrusted networks, and globally on devices that do not need it at all.
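As an added example, not from the original article, the steps below first show what CDP is already advertising and then disable it per interface on an untrusted-facing link and globally on a device that does not need it. The interface name GigabitEthernet0/1 is an assumption for the illustration.

```cisco
! Step 1 (exec mode): see what any device on the wire can already read.
!   show cdp neighbors detail   -> neighbor hostname, platform, IOS version,
!                                  IP addresses, remote port
!   show cdp interface          -> interfaces currently sending CDP
!
! Step 2: disable CDP only where it faces external or untrusted networks.
! CDP can stay on internal access ports where Cisco IP phones depend on it
! for voice VLAN and power negotiation.
interface GigabitEthernet0/1
 description Uplink to ISP
 no cdp enable
!
! Step 3: on a device that has no use for CDP at all, turn it off globally.
! This overrides any per-interface setting.
no cdp run
!
! Verify (exec mode):
!   show cdp                    -> "CDP is not enabled" after "no cdp run"
!   show cdp interface          -> the uplink should no longer be listed
```

The output of show cdp neighbors detail is exactly the data an attacker on the segment receives every advertisement interval (60 seconds by default), including the full software version string, which is what makes the per-interface decision in Step 2 worth taking deliberately rather than leaving the default.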